Security Bulletin for 13 July 2026: Unauthenticated SQL Injection in the WordPress plugin Booking Package
13 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. July 13 was quiet for our audience: no Shopware notice, no PHP core release and no new vendor advisory first published that day. We pick out the single WordPress item whose National Vulnerability Database record was updated on July 13.
CVE-2026-15335 — Unauthenticated SQL Injection in Booking Package (high)
The Booking Package plugin contains a login-free SQL injection in all versions up to and
including 1.7.20. The REST endpoint /wp-json/booking-package/v1/request is registered with
permission_callback: __return_true and is therefore reachable by anyone; the value supplied
through the email form field is placed into an existing database query without sufficient
escaping. Making matters worse, WordPress’s wp_magic_quotes safeguard does not apply to
$_POST values delivered through the REST interface, so single quotes reach the SQL processing
intact. An attacker without an account could thereby append additional queries and read data
from the database. Practical exploitability is, however, considerably constrained, because the
value first passes through WordPress’s is_email() function — a malicious value must still be
accepted as a valid email address. The National Vulnerability Database assigns a CVSS score of
7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), classifies the flaw as high and assigns it
to weakness class CWE-89 (SQL injection). No corrected version is named as of writing; all
releases up to and including 1.7.20 are affected. Until a patch is available, operators should
restrict or monitor the affected REST endpoint via a web application firewall or access rule,
disable the plugin if it is not needed, and watch the vendor’s changelog so the fix can be
applied without delay once released.
Sources: National Vulnerability Database — CVE-2026-15335 · CVE Record — CVE-2026-15335
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.